Cisco Support Community

ASA dropping legitimate returning Internet traffic

Hi all,

I recently turned on the 'stateful' feature on our Internet ASAs. It was once disabled completely due to an asymmetric routing issue that existed within our network. I have managed to turn this back on for all but the subnets that require an asymmetric routing path.

Now it seems that the ASAs are dropping a significant amount of packets on the OUTSIDE interface for legitimate returning TCP traffic. At first glance I thought we were under some sort of attack, where the attacker was reversing the source and destination ports, but the source IP addresses are all legitimate, well-known websites. There does seem to be an ever so slight performance decrease when surfing the web.

I suspect this has something to do with TCP timeout values on either our downstream proxy (Blue Coat ProxySG 900) or the ASAs, but as far as I know they are both set to their defaults.

The proxy is masquerading the clients' IPs behind its own IP address (192.168.30.133), and the proxy is NATed behind the ASAs' OUTSIDE interface IP address.

My syslog server is being flooded with messages like the ones below:

%ASA-4-106100: access-list outside_access_in denied tcp OUTSIDE/74.125.237.134(443) -> INSIDE/192.168.30.133(64440)

%ASA-4-106100: access-list outside_access_in denied tcp OUTSIDE/54.230.72.134(80) -> INSIDE/192.168.30.133(51842)

When I do a 'show asp drop' I see a huge amount of First TCP Packet not SYN ('tcp-not-syn') drops. I'm not sure whether these are being generated on the INSIDE or the OUTSIDE interface.

sh asp drop

Frame drop:
  Flow is denied by configured rule (acl-drop)                      95989
  First TCP packet not SYN (tcp-not-syn)                           112941
  Bad TCP flags (bad-tcp-flags)                                        18
  TCP data send after FIN (tcp-data-past-fin)                           2
  TCP failed 3 way handshake (tcp-3whs-failed)                       3280
  TCP RST/FIN out of order (tcp-rstfin-ooo)                         14993
  TCP SYNACK on established conn (tcp-synack-ooo)                       9
  TCP packet SEQ past window (tcp-seq-past-win)                      2340
  TCP invalid ACK (tcp-invalid-ack)                                     1
  TCP RST/SYN in window (tcp-rst-syn-in-win)                           23
  TCP packet failed PAWS test (tcp-paws-fail)                        2567
  FP L2 rule drop (l2_acl)                                         240223
  Dropped pending packets in a closed socket (np-socket-closed)       285

Flow drop:
  Inspection failure (inspect-fail)                                    18

Any assistance would be greatly appreciated!

Best Regards

Brett Verney
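One way to triage a flood of %ASA-4-106100 denies like the ones above, written as an added example and not part of the original post: parse each line and separate packets that look like the tail end of a client-initiated web session the ASA no longer holds a connection for (service source port, ephemeral destination port, which is what the tcp-not-syn counter describes) from genuinely unsolicited inbound traffic. The set of service ports and the ephemeral-port threshold are assumptions chosen for the proxy-bound HTTP/HTTPS case described in the post; the sample log is constructed.

```python
import re
from collections import Counter

# Constructed sample: the two lines quoted in the post plus one line shaped
# like an unsolicited inbound probe, for contrast.
SAMPLE_LOG = """\
%ASA-4-106100: access-list outside_access_in denied tcp OUTSIDE/74.125.237.134(443) -> INSIDE/192.168.30.133(64440)
%ASA-4-106100: access-list outside_access_in denied tcp OUTSIDE/54.230.72.134(80) -> INSIDE/192.168.30.133(51842)
%ASA-4-106100: access-list outside_access_in denied tcp OUTSIDE/203.0.113.9(51234) -> INSIDE/192.168.30.133(445)
"""

# Field layout of a 106100 message; search() so any trailing hit-count text is ignored.
LINE_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<sif>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

SERVICE_PORTS = {80, 443}   # assumption: the proxy only makes web connections
EPHEMERAL_MIN = 49152       # assumption: IANA dynamic range; lower to 32768 for Linux clients


def parse_106100(line):
    """Return the fields of one 106100 line as a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """'stale-return': denied OUTSIDE->INSIDE packet from a service port to an
    ephemeral port, i.e. a reply to a session the firewall has no conn entry for.
    'unsolicited-inbound': denied inbound packet aimed at a service port."""
    if rec["action"] != "denied" or rec["dif"] != "INSIDE":
        return "other"
    if rec["sport"] in SERVICE_PORTS and rec["dport"] >= EPHEMERAL_MIN:
        return "stale-return"
    return "unsolicited-inbound"


def summarize(log_text):
    """Count each class across a block of syslog text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_106100(line)
        if rec:
            counts[classify(rec)] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A large stale-return count that tracks the tcp-not-syn counter points at timeouts or asymmetric paths rather than an attack; unsolicited-inbound is what the ACL is meant to block.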
